draft-ietf-isms-radius-usage-01.txt   draft-ietf-isms-radius-usage-02.txt 
Network Working Group K. Narayan Network Working Group K. Narayan
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track D. Nelson Intended status: Standards Track D. Nelson
Expires: May 21, 2008 Elbrys Networks, Inc. Expires: August 27, 2008 Elbrys Networks, Inc.
November 18, 2007 February 24, 2008
Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Remote Authentication Dial-In User Service (RADIUS) Usage for Simple
Network Management Protocol (SNMP) Transport Models Network Management Protocol (SNMP) Transport Models
draft-ietf-isms-radius-usage-01.txt draft-ietf-isms-radius-usage-02.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 36 skipping to change at page 1, line 36
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 21, 2008. This Internet-Draft will expire on August 27, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2008).
Abstract Abstract
This memo describes the use of a Remote Authentication Dial-In User This memo describes the use of a Remote Authentication Dial-In User
Service (RADIUS) authentication and authorization service by Simple Service (RADIUS) authentication and authorization service by Simple
Network Management Protocol (SNMP) secure Transport Models to Network Management Protocol (SNMP) secure Transport Models to
authenticate users and authorize creation of secure transport authenticate users and authorize creation of secure transport
sessions. While the recommendations of this memo are generally sessions. While the recommendations of this memo are generally
applicable to a broad class of SNMP Transport Models, the examples applicable to a broad class of SNMP Transport Models, the examples
focus on the Secure Shell Transport Model. focus on the Secure Shell Transport Model.
skipping to change at page 2, line 23 skipping to change at page 2, line 23
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. RADIUS Operational Model . . . . . . . . . . . . . . . . . 3 1.2. RADIUS Operational Model . . . . . . . . . . . . . . . . . 3
1.3. RADIUS Usage With Secure Transports . . . . . . . . . . . 5 1.3. RADIUS Usage With Secure Transports . . . . . . . . . . . 5
1.4. SNMP Transport Models . . . . . . . . . . . . . . . . . . 5 1.4. SNMP Transport Models . . . . . . . . . . . . . . . . . . 5
2. RADIUS Usage for SNMP Transport Models . . . . . . . . . . . . 6 2. RADIUS Usage for SNMP Transport Models . . . . . . . . . . . . 6
2.1. RADIUS Authentication for Transport Protocols . . . . . . 7 2.1. RADIUS Authentication for Transport Protocols . . . . . . 7
2.2. RADIUS Authorization for Transport Protocols . . . . . . . 7 2.2. RADIUS Authorization for Transport Protocols . . . . . . . 7
2.3. SNMP Service Authorization . . . . . . . . . . . . . . . . 8 2.3. SNMP Service Authorization . . . . . . . . . . . . . . . . 8
2.4. SNMP Access Control Authorization . . . . . . . . . . . . 9 2.4. SNMP Access Control Authorization . . . . . . . . . . . . 10
3. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 9 3. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 10
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
7.1. Normative References . . . . . . . . . . . . . . . . . . . 11 7.1. Normative References . . . . . . . . . . . . . . . . . . . 12
7.2. Informative References . . . . . . . . . . . . . . . . . . 12 7.2. Informative References . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
Intellectual Property and Copyright Statements . . . . . . . . . . 14 Intellectual Property and Copyright Statements . . . . . . . . . . 14
1. Introduction 1. Introduction
1.1. General 1.1. General
This memo describes the use of a Remote Authentication Dial-In User This memo describes the use of a Remote Authentication Dial-In User
Service (RADIUS) authentication and authorization service by Simple Service (RADIUS) authentication and authorization service by Simple
Network Management Protocol (SNMP) secure Transport Models to Network Management Protocol (SNMP) secure Transport Models to
authenticate users and authorize creation of secure transport authenticate users and authorize creation of secure transport
skipping to change at page 6, line 39 skipping to change at page 6, line 39
authenticated principal to use SNMP over a specific secure Transport authenticated principal to use SNMP over a specific secure Transport
Model. This memo describes mechanisms by which such information can Model. This memo describes mechanisms by which such information can
be requested from a RADIUS server and enforced within the NAS. The be requested from a RADIUS server and enforced within the NAS. The
SNMP architecture, as described in RFC 3411, does not make a SNMP architecture, as described in RFC 3411, does not make a
distinction between user authentication and service authorization. distinction between user authentication and service authorization.
In the case of existing, deployed security models, such as the User- In the case of existing, deployed security models, such as the User-
based Security Model (USM), this distinction is not significant. For based Security Model (USM), this distinction is not significant. For
the SNMP Transport Models and the SNMP Transport Security Model the SNMP Transport Models and the SNMP Transport Security Model
(TSM), this distinction is relevant, and perhaps important. (TSM), this distinction is relevant, and perhaps important.
It is relevant because of the way in which SSH implementations have
traditionally integrated with RADIUS Clients. Those SSH
implementations traditionally seek to obtain user authentication
(e.g. validation of a username and password) from an outside
authentication service, often via a Pluggable Authentication Module
(PAM) style interface. The service authorization in traditional SSH
server implementations comes via the restrictions that the operating
system (OS) shell (and file system, etc.) place on the user by means
of access controls tied to the username or the username's membership
in various user groups. These OS-style access controls are distinct
from the service provisioning features of RADIUS. If we wish to use
existing SSH server implementations, or slightly adapt them, for use
with SNMP Transport Models, and we wish to support RADIUS-provisioned
service authorization, we need to be aware that the RADIUS service
authorization information will need to be obtained by the relevant
SNMP modules from the SSH module.
One reason that RADIUS-provisioned service authorization is important
is that in many deployments the RADIUS server's back-end
authentication database contains credentials for many classes of
users, only a small portion of which may be authorized to access the
management interfaces of managed entities (NASes) via SNMP. In the
absence of RADIUS-provisioned service authorization, network
management access may be granted to unauthorized, but properly
authenticated, users.
Data object access control authorization in SNMP is handled by the Data object access control authorization in SNMP is handled by the
Access Control Subsystem (ACS), instantiated as various Access Access Control Subsystem (ACS), instantiated as various Access
Control Models. The SNMP architecture, as described in RFC 3411, Control Models. The SNMP architecture, as described in RFC 3411,
explicitly mandates the separation of authentication and explicitly mandates the separation of authentication and
authorization operations in order to retain modularity of the SNMP authorization operations in order to retain modularity of the SNMP
system. The Abstract Service Interface (ASI) of the ACS uses method- system. The Abstract Service Interface (ASI) of the ACS uses method-
independent parameters, including securityName, to determine access independent parameters, including securityName, to determine access
control rights. A detailed description of how an Access Control control rights. A detailed description of how an Access Control
Model (ACM) might utilize the services of a RADIUS client to obtain Model (ACM) might utilize the services of a RADIUS client to obtain
access control policy information is the topic of current research, access control policy information is the topic of current research,
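Review bot: the added paragraph beginning "It is relevant because of the way in which SSH implementations have traditionally integrated with RADIUS Clients" ends by stating an implementation requirement ("the RADIUS service authorization information will need to be obtained by the relevant SNMP modules from the SSH module") in first-person narrative ("If we wish to use ...", "we need to be aware") with no requirement language and no pointer to where that hand-off is specified; suggest rewording in the third person ("Implementations that reuse or adapt an existing SSH server for an SNMP Transport Model need to pass the RADIUS service authorization information from the SSH module to the SNMP modules") and citing the section that specifies it (Section 2.3, SNMP Service Authorization, per the table of contents). The sentence "network management access may be granted to unauthorized, but properly authenticated, users" in the following added paragraph is the actual security motivation for the distinction and would read better as the lead sentence of that paragraph. Minor: "e.g. validation" should be "e.g., validation" to match RFC style.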
skipping to change at page 7, line 28 skipping to change at page 8, line 4
attributes, as described herein, to inform the decision whether to attributes, as described herein, to inform the decision whether to
accept or reject the authentication request. accept or reject the authentication request.
2.2. RADIUS Authorization for Transport Protocols 2.2. RADIUS Authorization for Transport Protocols
In compliance with RFC 2865, NASes MUST enforce implicitly mandatory In compliance with RFC 2865, NASes MUST enforce implicitly mandatory
attributes, such as Service-Type, within an Access-Accept message. attributes, such as Service-Type, within an Access-Accept message.
NASes MUST treat Access-Accept Messages that attempt to provision NASes MUST treat Access-Accept Messages that attempt to provision
unsupported services as if they were an Access-Reject. NASes SHOULD unsupported services as if they were an Access-Reject. NASes SHOULD
treat unknown attributes as if they were provisioning unsupported treat unknown attributes as if they were provisioning unsupported
services. See [radius-fixes] for additional details. services. See [RFC5080] for additional details.
A NAS that is compliant to this specification, MUST treat any RADIUS A NAS that is compliant to this specification, MUST treat any RADIUS
Access-Accept message that provisions a transport protocol (e.g. Access-Accept message that provisions a transport protocol (e.g.
SSH) that cannot be provided, and/or application service (e.g. SNMP) SSH) that cannot be provided, and/or application service (e.g. SNMP)
that cannot be provided over that transport, as if an Access-Reject that cannot be provided over that transport, as if an Access-Reject
message had been received instead. The RADIUS Service-Type attribute message had been received instead. The RADIUS Service-Type attribute
is the primary indicator of the service being provisioned, although is the primary indicator of the service being provisioned, although
other attributes may also convey service provisioning information. other attributes may also convey service provisioning information.
Specific attributes for use with SNMP Transport Models are Specific attributes for use with SNMP Transport Models are
recommended in this document. recommended in this document.
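Review bot: "A NAS that is compliant to this specification, MUST treat" has a stray comma between subject and verb and should read "A NAS that is compliant with this specification MUST treat". The same paragraph's "and/or" ("a transport protocol (e.g. SSH) that cannot be provided, and/or application service (e.g. SNMP) that cannot be provided over that transport") leaves unclear whether an Access-Accept that provisions a supported transport but an unsupported application service is rejected; since Section 2.3 applies that rule at session creation, suggest "a transport protocol ... that cannot be provided, or an application service ... that cannot be provided over that transport". The reference update from [radius-fixes] to [RFC5080] is correct and matches the Informative References change below.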
skipping to change at page 8, line 32 skipping to change at page 9, line 7
present in a RADIUS Access-Accept message, to determine whether the present in a RADIUS Access-Accept message, to determine whether the
session can be created and MUST enforce the service provisioning session can be created and MUST enforce the service provisioning
decisions of the RADIUS server. decisions of the RADIUS server.
The following RADIUS attributes SHOULD be used, as hint attributes The following RADIUS attributes SHOULD be used, as hint attributes
included in the Access-Request message to signal use of SNMP over a included in the Access-Request message to signal use of SNMP over a
secure transport to the RADIUS server: secure transport to the RADIUS server:
1. Service-Type with a value of Framed-Management. 1. Service-Type with a value of Framed-Management.
2. Framed-Management-Protocol with a value of SNMP. 2. Framed-Management-Protocol with a value of SNMP.
3. Management-Transport-Protocol with a value of SSH, TLS, or DTLS 3. Management-Transport-Protection with a value of Integrity-
as appropriate. Confidentiality-Protection.
Refer to [radman] for a detailed description of these attributes. Refer to [radman] for a detailed description of these attributes.
From the perspective of the RADIUS Server, these attribute and value From the perspective of the RADIUS Server, these attribute and value
pairs indicate that the user is requesting to use SNMP over an SNMP pairs indicate that the user is requesting to use SNMP over an SNMP
Transport Model. Transport Model.
The following RADIUS attributes are used in an Access-Accept message The following RADIUS attributes are used in an Access-Accept message
to provision SNMP over a secure transport: to provision SNMP over a secure transport:
1. Service-Type with a value of Framed-Management. 1. Service-Type with a value of Framed-Management.
2. Framed-Management-Protocol with a value of SNMP. 2. Framed-Management-Protocol with a value of SNMP.
3. Management-Transport-Protocol with a value of SSH, TLS, or DTLS 3. Management-Transport-Protection with a value of Integrity-
as appropriate. Confidentiality-Protection.
Refer to [radman] for a detailed description of these attributes. Refer to [radman] for a detailed description of these attributes.
From the perspective of the NAS, these attribute and value pairs From the perspective of the NAS, these attribute and value pairs
indicate that the user is authorized to use SNMP using an SNMP indicate that the user is authorized to use SNMP using an SNMP
Transport Model. Transport Model.
The following RADIUS attributes MAY be optionally used, to authorize The following RADIUS attributes MAY be optionally used, to authorize
use of SNMP over the default UDP transport protocol: use of SNMP over the default UDP transport protocol (no privacy):
1. Management-Transport-Protocol with a value of Default. 1. Management-Transport-Protection with a value of No-Protection.
Refer to [radman] for a detailed description of this attribute. From Refer to [radman] for a detailed description of this attribute. From
the perspective of the NAS, this attribute and value pair indicates the perspective of the NAS, this attribute and value pair indicates
that the user is authorized to use SNMP using the default SNMP that the user is authorized to use SNMP using the default SNMP
transport protocol. transport protocol, without a protected transport.
The following RADIUS attributes are used to limit the extent of a The following RADIUS attributes are used to limit the extent of a
secure transport session carrying SNMP traffic, in conjunction with secure transport session carrying SNMP traffic, in conjunction with
an SNMP Transport Model: an SNMP Transport Model:
1. Session-Timeout 1. Session-Timeout
2. Inactivity-Timeout. 2. Inactivity-Timeout.
Refer to [RFC2865] for a detailed description of these attributes. Refer to [RFC2865] for a detailed description of these attributes.
From the perspective of the NAS, these attributes indicate session From the perspective of the NAS, these attributes indicate session
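Review bot: the change from Management-Transport-Protocol (SSH, TLS, or DTLS) to Management-Transport-Protection (Integrity-Confidentiality-Protection) in both the Access-Request hints and the Access-Accept attributes leaves one case unspecified: the Access-Request now hints Integrity-Confidentiality-Protection, but the Access-Accept may instead carry Management-Transport-Protection with a value of No-Protection (the "default UDP transport protocol (no privacy)" case); the text should state whether a NAS that is authenticating a secure transport session and receives only No-Protection may proceed, or must treat the message as an Access-Reject under the rule in Section 2.2 ("provisions ... a service that cannot be provided over that transport"). Two smaller points: "MAY be optionally used" is redundant ("MAY be used"), and item 2 of the session-limiting list names "Inactivity-Timeout", which is not an [RFC2865] attribute name; the Table of Attributes below lists attribute 28 as Idle-Timeout [RFC2865], so the text should use Idle-Timeout consistently.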
skipping to change at page 10, line 16 skipping to change at page 10, line 30
Request Accept Reject Challenge # Attribute Request Accept Reject Challenge # Attribute
--------------------------------------------------------------------- ---------------------------------------------------------------------
0-1 0 0 0 1 User-Name [RFC2865] 0-1 0 0 0 1 User-Name [RFC2865]
0-1 0 0 0 2 User-Password [RFC2865] 0-1 0 0 0 2 User-Password [RFC2865]
0-1 0 0 0 4 NAS-IP-Address [RFC2865] 0-1 0 0 0 4 NAS-IP-Address [RFC2865]
0-1 0-1 0 0 6 Service-Type [RFC2865] 0-1 0-1 0 0 6 Service-Type [RFC2865]
0-1 0-1 0 0-1 24 State [RFC2865] 0-1 0-1 0 0-1 24 State [RFC2865]
0 0-1 0 0 27 Session-Timeout [RFC2865] 0 0-1 0 0 27 Session-Timeout [RFC2865]
0 0-1 0 0 28 Idle-Timeout [RFC2865] 0 0-1 0 0 28 Idle-Timeout [RFC2865]
0-1 0-1 0-1 0-1 80 Message-Authenticator [RFC3579] 0-1 0-1 0-1 0-1 80 Message-Authenticator [RFC3579]
0-1 0-1 0 0 TBA Framed-Management-Protocol 0-1 0-1 0 0 TBA Framed-Management-Protection
[radman] [radman]
0-1 0-1 0 0 TBA Management-Transport-Protocol 0-1 0-1 0 0 TBA Management-Transport-Protection
[radman] [radman]
0 0+ 0 0 TBA Management-Policy-Id [radman] 0 0+ 0 0 TBA Management-Policy-Id [radman]
The following table defines the meaning of the above table entries. The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present in a packet. 0 This attribute MUST NOT be present in a packet.
0+ Zero or more instances of this attribute MAY be present in 0+ Zero or more instances of this attribute MAY be present in
a packet. a packet.
0-1 Zero or one instance of this attribute MAY be present in 0-1 Zero or one instance of this attribute MAY be present in
a packet. a packet.
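Review bot: the new table entry "Framed-Management-Protection" (attribute TBA, [radman]) does not match the attribute name used everywhere else on this page, "Framed-Management-Protocol with a value of SNMP" (Section 2.3, item 2 of both lists); it looks like the rename of Management-Transport-Protocol to Management-Transport-Protection was applied one row too far. Suggest restoring "Framed-Management-Protocol" in that row. The remaining rows are consistent with Section 2.3 (Session-Timeout and Idle-Timeout absent from Access-Request and 0-1 in Access-Accept), but Management-Policy-Id (0+ in Access-Accept) does not appear in any of the attribute lists shown in Section 2.3; if it is described only in Section 2.4, a forward reference from the table would help.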
skipping to change at page 11, line 6 skipping to change at page 11, line 20
RFC. RFC.
5. Security Considerations 5. Security Considerations
This specification describes the use of RADIUS for purposes of This specification describes the use of RADIUS for purposes of
authentication and authorization. Threats and security issues for authentication and authorization. Threats and security issues for
this application are described in [RFC3579] and [RFC3580]; security this application are described in [RFC3579] and [RFC3580]; security
issues encountered in roaming are described in [RFC2607]. issues encountered in roaming are described in [RFC2607].
Additional security considerations for use of SNMP with secure Additional security considerations for use of SNMP with secure
Transport Models [sshtm] and the Transport Security Model [sshtm] are Transport Models [tmsm] and the Transport Security Model [tsm] are
found in the Security Considerations sections of the respective found in the Security Considerations sections of the respective
documents. documents.
Note that if the SNMP Message Processing Module selects the SNMPv1 or Note that if the SNMP Message Processing Module selects the SNMPv1 or
SNMPv2c Security Model as the security model to use (because the SNMPv2c Security Model as the security model to use (because the
message is SNMPv1 or SNMPv2), then securityName comes from the message is SNMPv1 or SNMPv2), then securityName comes from the
community name, as per RFC3584. This may not be what is expected community name, as per RFC3584. This may not be what is expected
when using an SNMP secure Transport Model. when using an SNMP secure Transport Model.
Note that if the SNMP User-based Security Model is selected (because Note that if the SNMP User-based Security Model is selected (because
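Review bot: the corrected citations ([tmsm] for the Transport Models, [tsm] for the Transport Security Model, replacing the duplicated [sshtm]) are right, but the paragraph on the SNMPv1/SNMPv2c Security Model cites "RFC3584" inline rather than as a bracketed reference like every other citation on the page; suggest "[RFC3584]" and confirm the entry exists in Section 7.2. That paragraph also only says the community-derived securityName "may not be what is expected"; from a security standpoint the consequence worth stating is that the RADIUS authentication and authorization performed for the transport session is then not what the Access Control Subsystem uses, since securityName is taken from the community string instead of the authenticated principal.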
skipping to change at page 11, line 48 skipping to change at page 12, line 19
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", "Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000. RFC 2865, June 2000.
[RFC4252] "The Secure Shell Authentication Protocol", 2005. [RFC4252] "The Secure Shell Authentication Protocol", 2005.
[radman] Nelson, D. and G. Weber, "Remote Authentication Dial-In [radman] Nelson, D. and G. Weber, "Remote Authentication Dial-In
User Service (RADIUS) Authorization for Network Access User Service (RADIUS) Authorization for Network Access
Server (NAS) Management", Server (NAS) Management",
draft-ietf-radext-management-authorization-01.txt (work in draft-ietf-radext-management-authorization-02.txt (work in
progress), November 2007. progress), February 2008.
[sshtm] Harrington, D. and J. Salowey, "Secure Shell Transport [sshtm] Harrington, D. and J. Salowey, "Secure Shell Transport
Model for SNMP", draft-ietf-isms-secshell-09.txt (work in Model for SNMP", draft-ietf-isms-secshell-09.txt (work in
progress), November 2007. progress), November 2007.
[tmsm] Harrington, D. and J. Schoenwaelder, "Transport Subsystem [tmsm] Harrington, D. and J. Schoenwaelder, "Transport Subsystem
for the Simple Network Management Protocol (SNMP)", for the Simple Network Management Protocol (SNMP)",
draft-ietf-isms-tmsm-11.txt (work in progress), draft-ietf-isms-tmsm-11.txt (work in progress),
November 2007. November 2007.
[tsm] Harrington, D., "Transport Subsystem for the Simple [tsm] Harrington, D., "Transport Security Model for SNMP",
Network Management Protocol (SNMP)",
draft-ietf-isms-transport-security-model-07.txt (work in draft-ietf-isms-transport-security-model-07.txt (work in
progress), November 2007. progress), November 2007.
7.2. Informative References 7.2. Informative References
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
Implementation in Roaming", RFC 2607, June 1999. Implementation in Roaming", RFC 2607, June 1999.
[RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based [RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network Access Control Model (VACM) for the Simple Network
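Review bot: the [RFC4252] entry is incomplete relative to the other normative references: it has no authors and no RFC number field, and gives the year as 2005. RFC 4252, "The Secure Shell (SSH) Authentication Protocol", is by T. Ylonen and C. Lonvick and was published in January 2006, so the entry should read: Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) Authentication Protocol", RFC 4252, January 2006. The corrected title for [tsm] ("Transport Security Model for SNMP", replacing the copy of the [tmsm] title) is right.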
skipping to change at page 12, line 37 skipping to change at page 13, line 5
December 2002. December 2002.
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
Dial In User Service) Support For Extensible Dial In User Service) Support For Extensible
Authentication Protocol (EAP)", RFC 3579, September 2003. Authentication Protocol (EAP)", RFC 3579, September 2003.
[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese, [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
"IEEE 802.1X Remote Authentication Dial In User Service "IEEE 802.1X Remote Authentication Dial In User Service
(RADIUS) Usage Guidelines", RFC 3580, September 2003. (RADIUS) Usage Guidelines", RFC 3580, September 2003.
[radius-fixes] [RFC5080] Nelson, D. and A. DeKok, "Common Remote Authentication
Nelson, D. and A. DeKok, "Common RADIUS Implementation Dial In User Service (RADIUS) Implementation Issues and
Issues and Suggested Fixes", Suggested Fixes", RFC 5080, December 2007.
draft-ietf-radext-fixes-08.txt (work in progress),
September 2007.
Authors' Addresses Authors' Addresses
Kaushik Narayan Kaushik Narayan
Cisco Systems, Inc. Cisco Systems, Inc.
10 West Tasman Drive 10 West Tasman Drive
San Jose, CA 95134 San Jose, CA 95134
USA USA
Phone: +1 408-526-8168 Phone: +1 408-526-8168
skipping to change at page 14, line 7 skipping to change at page 14, line 7
Elbrys Networks, Inc. Elbrys Networks, Inc.
75 Rochester Ave, Unit #3, 75 Rochester Ave, Unit #3,
Portsmouth, NH 03801 Portsmouth, NH 03801
USA USA
Phone: +1 (603) 570-2636 Phone: +1 (603) 570-2636
Email: d.b.nelson@comcast.net Email: d.b.nelson@comcast.net
Full Copyright Statement Full Copyright Statement
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors contained in BCP 78, and except as set forth therein, the authors
retain all their rights. retain all their rights.
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
 End of changes. 21 change blocks. 
33 lines changed or deleted 56 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/